TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 2d0bd329829ba9f88f82ea7a0f710a93a2b33d8c / . / library / ssl_tls13_generic.c
blob: b7084067f5f7dd91a0a99fbda066d08d64acdc7b [file] [log] [blame]
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]1/*
2 * TLS 1.3 functionality shared between client and server
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20#include "common.h"
21
22#if defined(MBEDTLS_SSL_TLS_C)
23
Ronald Cron6f135e12021-12-08 16:57:54 +0100[diff] [blame]24#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]25
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]26#include <string.h>
27
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]28#include "mbedtls/error.h"
Jerry Yu75336352021-09-01 15:59:36 +0800[diff] [blame]29#include "mbedtls/debug.h"
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]30#include "mbedtls/oid.h"
31#include "mbedtls/platform.h"
Gabor Mezei685472b2021-11-24 11:17:36 +0100[diff] [blame]32#include "mbedtls/constant_time.h"
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]33#include <string.h>
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]34
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]35#include "ssl_misc.h"
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]36#include "ssl_tls13_keys.h"
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]37
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]38int mbedtls_ssl_tls13_fetch_handshake_msg( mbedtls_ssl_context *ssl,
39 unsigned hs_type,
40 unsigned char **buf,
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]41 size_t *buf_len )
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]42{
43 int ret;
44
45 if( ( ret = mbedtls_ssl_read_record( ssl, 0 ) ) != 0 )
46 {
47 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
48 goto cleanup;
49 }
50
XiaokangQian16c61aa2021-09-27 09:30:17 +0000[diff] [blame]51 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ||
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]52 ssl->in_msg[0] != hs_type )
53 {
XiaokangQian16c61aa2021-09-27 09:30:17 +0000[diff] [blame]54 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Receive unexpected handshake message." ) );
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]55 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
XiaokangQian05420b12021-09-29 08:46:37 +0000[diff] [blame]56 MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]57 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
58 goto cleanup;
59 }
60
XiaokangQian05420b12021-09-29 08:46:37 +0000[diff] [blame]61 /*
62 * Jump handshake header (4 bytes, see Section 4 of RFC 8446).
63 * ...
64 * HandshakeType msg_type;
65 * uint24 length;
66 * ...
67 */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]68 *buf = ssl->in_msg + 4;
69 *buf_len = ssl->in_hslen - 4;
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]70
XiaokangQian6b226b02021-09-24 07:51:16 +0000[diff] [blame]71cleanup:
72
73 return( ret );
74}
75
Jerry Yuf4436812021-08-26 22:59:56 +0800[diff] [blame]76int mbedtls_ssl_tls13_start_handshake_msg( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]77 unsigned hs_type,
78 unsigned char **buf,
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]79 size_t *buf_len )
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]80{
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]81 /*
82 * Reserve 4 bytes for hanshake header. ( Section 4,RFC 8446 )
83 * ...
84 * HandshakeType msg_type;
85 * uint24 length;
86 * ...
87 */
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]88 *buf = ssl->out_msg + 4;
Jerry Yu0c63af62021-09-02 12:59:12 +0800[diff] [blame]89 *buf_len = MBEDTLS_SSL_OUT_CONTENT_LEN - 4;
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]90
91 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
92 ssl->out_msg[0] = hs_type;
93
94 return( 0 );
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]95}
96
Jerry Yuf4436812021-08-26 22:59:56 +0800[diff] [blame]97int mbedtls_ssl_tls13_finish_handshake_msg( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]98 size_t buf_len,
99 size_t msg_len )
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]100{
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]101 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]102 size_t msg_with_header_len;
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]103 ((void) buf_len);
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]104
Jerry Yu1bc2c1f2021-09-01 12:57:29 +0800[diff] [blame]105 /* Add reserved 4 bytes for handshake header */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]106 msg_with_header_len = msg_len + 4;
107 ssl->out_msglen = msg_with_header_len;
Jerry Yu2c0fbf32021-09-02 13:53:46 +0800[diff] [blame]108 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_handshake_msg_ext( ssl, 0 ) );
Jerry Yuc8a392c2021-08-18 16:46:28 +0800[diff] [blame]109
110cleanup:
111 return( ret );
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]112}
113
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]114void mbedtls_ssl_tls13_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl,
115 unsigned hs_type,
116 unsigned char const *msg,
117 size_t msg_len )
Jerry Yu7bea4ba2021-09-09 15:06:18 +0800[diff] [blame]118{
119 mbedtls_ssl_tls13_add_hs_hdr_to_checksum( ssl, hs_type, msg_len );
120 ssl->handshake->update_checksum( ssl, msg, msg_len );
121}
122
Jerry Yuf4436812021-08-26 22:59:56 +0800[diff] [blame]123void mbedtls_ssl_tls13_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl,
Jerry Yueecfbf02021-08-30 18:32:07 +0800[diff] [blame]124 unsigned hs_type,
125 size_t total_hs_len )
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]126{
127 unsigned char hs_hdr[4];
128
129 /* Build HS header for checksum update. */
Jerry Yu2ac64192021-08-26 18:38:58 +0800[diff] [blame]130 hs_hdr[0] = MBEDTLS_BYTE_0( hs_type );
131 hs_hdr[1] = MBEDTLS_BYTE_2( total_hs_len );
132 hs_hdr[2] = MBEDTLS_BYTE_1( total_hs_len );
133 hs_hdr[3] = MBEDTLS_BYTE_0( total_hs_len );
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]134
135 ssl->handshake->update_checksum( ssl, hs_hdr, sizeof( hs_hdr ) );
136}
137
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]138#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
139
140/*
Jerry Yue41dec02021-08-31 10:57:07 +0800[diff] [blame]141 * mbedtls_ssl_tls13_write_sig_alg_ext( )
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]142 *
143 * enum {
144 * ....
145 * ecdsa_secp256r1_sha256( 0x0403 ),
146 * ecdsa_secp384r1_sha384( 0x0503 ),
147 * ecdsa_secp521r1_sha512( 0x0603 ),
148 * ....
149 * } SignatureScheme;
150 *
151 * struct {
152 * SignatureScheme supported_signature_algorithms<2..2^16-2>;
153 * } SignatureSchemeList;
154 *
155 * Only if we handle at least one key exchange that needs signatures.
156 */
Jerry Yue41dec02021-08-31 10:57:07 +0800[diff] [blame]157int mbedtls_ssl_tls13_write_sig_alg_ext( mbedtls_ssl_context *ssl,
158 unsigned char *buf,
159 unsigned char *end,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]160 size_t *out_len )
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]161{
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]162 unsigned char *p = buf;
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]163 unsigned char *supported_sig_alg; /* Start of supported_signature_algorithms */
164 size_t supported_sig_alg_len = 0; /* Length of supported_signature_algorithms */
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]165
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]166 *out_len = 0;
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]167
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]168 MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding signature_algorithms extension" ) );
169
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]170 /* Check if we have space for header and length field:
171 * - extension_type (2 bytes)
172 * - extension_data_length (2 bytes)
173 * - supported_signature_algorithms_length (2 bytes)
174 */
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]175 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
176 p += 6;
177
178 /*
179 * Write supported_signature_algorithms
180 */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]181 supported_sig_alg = p;
Jerry Yu08e2cea2021-12-22 10:53:23 +0800[diff] [blame]182 for( const uint16_t *sig_alg = mbedtls_ssl_conf_get_sig_algs( ssl->conf );
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]183 *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]184 {
185 MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
186 MBEDTLS_PUT_UINT16_BE( *sig_alg, p, 0 );
187 p += 2;
188 MBEDTLS_SSL_DEBUG_MSG( 3, ( "signature scheme [%x]", *sig_alg ) );
189 }
190
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]191 /* Length of supported_signature_algorithms */
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]192 supported_sig_alg_len = p - supported_sig_alg;
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]193 if( supported_sig_alg_len == 0 )
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]194 {
195 MBEDTLS_SSL_DEBUG_MSG( 1, ( "No signature algorithms defined." ) );
196 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
197 }
198
199 /* Write extension_type */
200 MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SIG_ALG, buf, 0 );
201 /* Write extension_data_length */
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]202 MBEDTLS_PUT_UINT16_BE( supported_sig_alg_len + 2, buf, 2 );
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]203 /* Write length of supported_signature_algorithms */
Jerry Yub60e3cf2021-09-08 16:41:02 +0800[diff] [blame]204 MBEDTLS_PUT_UINT16_BE( supported_sig_alg_len, buf, 4 );
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]205
206 /* Output the total length of signature algorithms extension. */
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]207 *out_len = p - buf;
Jerry Yu72369942021-08-31 15:41:21 +0800[diff] [blame]208
209 ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SIG_ALG;
Jerry Yu75336352021-09-01 15:59:36 +0800[diff] [blame]210 return( 0 );
Jerry Yubc20bdd2021-08-24 15:59:48 +0800[diff] [blame]211}
212
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]213/*
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]214 * STATE HANDLING: Read CertificateVerify
215 */
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]216/* Macro to express the maximum length of the verify structure.
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]217 *
218 * The structure is computed per TLS 1.3 specification as:
219 * - 64 bytes of octet 32,
220 * - 33 bytes for the context string
221 * (which is either "TLS 1.3, client CertificateVerify"
222 * or "TLS 1.3, server CertificateVerify"),
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]223 * - 1 byte for the octet 0x0, which serves as a separator,
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]224 * - 32 or 48 bytes for the Transcript-Hash(Handshake Context, Certificate)
225 * (depending on the size of the transcript_hash)
226 *
227 * This results in a total size of
228 * - 130 bytes for a SHA256-based transcript hash, or
229 * (64 + 33 + 1 + 32 bytes)
230 * - 146 bytes for a SHA384-based transcript hash.
231 * (64 + 33 + 1 + 48 bytes)
232 *
233 */
Jerry Yu26c2d112021-10-25 12:42:58 +0800[diff] [blame]234#define SSL_VERIFY_STRUCT_MAX_SIZE ( 64 + \
235 33 + \
236 1 + \
237 MBEDTLS_TLS1_3_MD_MAX_SIZE \
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]238 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]239
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]240/*
241 * The ssl_tls13_create_verify_structure() creates the verify structure.
242 * As input, it requires the transcript hash.
243 *
244 * The caller has to ensure that the buffer has size at least
245 * SSL_VERIFY_STRUCT_MAX_SIZE bytes.
246 */
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]247static void ssl_tls13_create_verify_structure( const unsigned char *transcript_hash,
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]248 size_t transcript_hash_len,
249 unsigned char *verify_buffer,
250 size_t *verify_buffer_len,
251 int from )
252{
253 size_t idx;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]254
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]255 /* RFC 8446, Section 4.4.3:
256 *
257 * The digital signature [in the CertificateVerify message] is then
258 * computed over the concatenation of:
259 * - A string that consists of octet 32 (0x20) repeated 64 times
260 * - The context string
261 * - A single 0 byte which serves as the separator
262 * - The content to be signed
263 */
264 memset( verify_buffer, 0x20, 64 );
265 idx = 64;
266
267 if( from == MBEDTLS_SSL_IS_CLIENT )
268 {
269 memcpy( verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( client_cv ) );
270 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN( client_cv );
271 }
272 else
273 { /* from == MBEDTLS_SSL_IS_SERVER */
274 memcpy( verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( server_cv ) );
275 idx += MBEDTLS_SSL_TLS1_3_LBL_LEN( server_cv );
276 }
277
278 verify_buffer[idx++] = 0x0;
279
280 memcpy( verify_buffer + idx, transcript_hash, transcript_hash_len );
281 idx += transcript_hash_len;
282
283 *verify_buffer_len = idx;
284}
285
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]286static int ssl_tls13_sig_alg_is_offered( const mbedtls_ssl_context *ssl,
Jerry Yu2d0bd322022-01-12 12:58:00 +0800[diff] [blame^]287 uint16_t proposed_sig_alg )
Jerry Yu982d9e52021-10-14 15:59:37 +0800[diff] [blame]288{
Jerry Yu08e2cea2021-12-22 10:53:23 +0800[diff] [blame]289 for( const uint16_t *sig_alg = mbedtls_ssl_conf_get_sig_algs( ssl->conf );
290 *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++ )
Jerry Yu982d9e52021-10-14 15:59:37 +0800[diff] [blame]291 {
Jerry Yu2d0bd322022-01-12 12:58:00 +0800[diff] [blame^]292 if( *sig_alg == proposed_sig_alg )
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]293 return( 1 );
Jerry Yu982d9e52021-10-14 15:59:37 +0800[diff] [blame]294 }
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]295 return( 0 );
Jerry Yu982d9e52021-10-14 15:59:37 +0800[diff] [blame]296}
297
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]298static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]299 const unsigned char *buf,
300 const unsigned char *end,
301 const unsigned char *verify_buffer,
302 size_t verify_buffer_len )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]303{
304 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
305 const unsigned char *p = buf;
306 uint16_t algorithm;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]307 size_t signature_len;
308 mbedtls_pk_type_t sig_alg;
309 mbedtls_md_type_t md_alg;
Jerry Yud0fc5852021-10-29 11:09:06 +0800[diff] [blame]310 unsigned char verify_hash[MBEDTLS_MD_MAX_SIZE];
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]311 size_t verify_hash_len;
312
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]313 void const *options = NULL;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]314#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]315 mbedtls_pk_rsassa_pss_options rsassa_pss_options;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]316#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
317
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]318 /*
319 * struct {
320 * SignatureScheme algorithm;
321 * opaque signature<0..2^16-1>;
322 * } CertificateVerify;
323 */
324 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
325 algorithm = MBEDTLS_GET_UINT16_BE( p, 0 );
326 p += 2;
327
328 /* RFC 8446 section 4.4.3
329 *
330 * If the CertificateVerify message is sent by a server, the signature algorithm
331 * MUST be one offered in the client's "signature_algorithms" extension unless
332 * no valid certificate chain can be produced without unsupported algorithms
333 *
334 * RFC 8446 section 4.4.2.2
335 *
336 * If the client cannot construct an acceptable chain using the provided
337 * certificates and decides to abort the handshake, then it MUST abort the handshake
338 * with an appropriate certificate-related alert (by default, "unsupported_certificate").
339 *
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]340 * Check if algorithm is an offered signature algorithm.
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]341 */
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]342 if( ! ssl_tls13_sig_alg_is_offered( ssl, algorithm ) )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]343 {
Jerry Yu982d9e52021-10-14 15:59:37 +0800[diff] [blame]344 /* algorithm not in offered signature algorithms list */
345 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Received signature algorithm(%04x) is not "
346 "offered.",
347 ( unsigned int ) algorithm ) );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]348 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]349 }
350
351 /* We currently only support ECDSA-based signatures */
352 switch( algorithm )
353 {
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]354 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]355 md_alg = MBEDTLS_MD_SHA256;
356 sig_alg = MBEDTLS_PK_ECDSA;
357 break;
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]358 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]359 md_alg = MBEDTLS_MD_SHA384;
360 sig_alg = MBEDTLS_PK_ECDSA;
361 break;
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]362 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]363 md_alg = MBEDTLS_MD_SHA512;
364 sig_alg = MBEDTLS_PK_ECDSA;
365 break;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]366#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
Xiaofei Bai6dc90da2021-11-26 08:11:40 +0000[diff] [blame]367 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
XiaokangQiana83014d2021-11-22 07:53:34 +0000[diff] [blame]368 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Certificate Verify: using RSA PSS" ) );
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]369 md_alg = MBEDTLS_MD_SHA256;
370 sig_alg = MBEDTLS_PK_RSASSA_PSS;
371 break;
372#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]373 default:
374 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Certificate Verify: Unknown signature algorithm." ) );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]375 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]376 }
377
378 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate Verify: Signature algorithm ( %04x )",
379 ( unsigned int ) algorithm ) );
380
381 /*
382 * Check the certificate's key type matches the signature alg
383 */
384 if( !mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, sig_alg ) )
385 {
386 MBEDTLS_SSL_DEBUG_MSG( 1, ( "signature algorithm doesn't match cert key" ) );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]387 goto error;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]388 }
389
390 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
391 signature_len = MBEDTLS_GET_UINT16_BE( p, 0 );
392 p += 2;
393 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, signature_len );
394
395 /* Hash verify buffer with indicated hash function */
396 switch( md_alg )
397 {
398#if defined(MBEDTLS_SHA256_C)
399 case MBEDTLS_MD_SHA256:
400 verify_hash_len = 32;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]401 ret = mbedtls_sha256( verify_buffer, verify_buffer_len, verify_hash, 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]402 break;
403#endif /* MBEDTLS_SHA256_C */
404
405#if defined(MBEDTLS_SHA384_C)
406 case MBEDTLS_MD_SHA384:
407 verify_hash_len = 48;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]408 ret = mbedtls_sha512( verify_buffer, verify_buffer_len, verify_hash, 1 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]409 break;
410#endif /* MBEDTLS_SHA384_C */
411
412#if defined(MBEDTLS_SHA512_C)
413 case MBEDTLS_MD_SHA512:
414 verify_hash_len = 64;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]415 ret = mbedtls_sha512( verify_buffer, verify_buffer_len, verify_hash, 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]416 break;
417#endif /* MBEDTLS_SHA512_C */
418
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]419 default:
420 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
421 break;
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]422 }
423
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]424 if( ret != 0 )
425 {
426 MBEDTLS_SSL_DEBUG_RET( 1, "hash computation error", ret );
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]427 goto error;
Jerry Yu133690c2021-10-25 14:01:13 +0800[diff] [blame]428 }
429
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]430 MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]431#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
432 if( sig_alg == MBEDTLS_PK_RSASSA_PSS )
433 {
434 const mbedtls_md_info_t* md_info;
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]435 rsassa_pss_options.mgf1_hash_id = md_alg;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]436 if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL )
437 {
438 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
439 }
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]440 rsassa_pss_options.expected_salt_len = mbedtls_md_get_size( md_info );
441 options = (const void*) &rsassa_pss_options;
XiaokangQian82d34cc2021-11-03 08:51:56 +0000[diff] [blame]442 }
443#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]444
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]445 if( ( ret = mbedtls_pk_verify_ext( sig_alg, options,
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]446 &ssl->session_negotiate->peer_cert->pk,
447 md_alg, verify_hash, verify_hash_len,
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]448 p, signature_len ) ) == 0 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]449 {
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]450 return( 0 );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]451 }
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]452 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify_ext", ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]453
Jerry Yu6f87f252021-10-29 20:12:51 +0800[diff] [blame]454error:
455 /* RFC 8446 section 4.4.3
456 *
457 * If the verification fails, the receiver MUST terminate the handshake
458 * with a "decrypt_error" alert.
459 */
460 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
461 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
462 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
463
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]464}
465#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
466
467int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
468{
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]469
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]470#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
471 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
472 unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE];
473 size_t verify_buffer_len;
474 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
475 size_t transcript_len;
476 unsigned char *buf;
477 size_t buf_len;
478
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]479 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
480
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]481 MBEDTLS_SSL_PROC_CHK(
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]482 mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]483 MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len ) );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]484
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]485 /* Need to calculate the hash of the transcript first
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]486 * before reading the message since otherwise it gets
487 * included in the transcript
488 */
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]489 ret = mbedtls_ssl_get_handshake_transcript( ssl,
490 ssl->handshake->ciphersuite_info->mac,
491 transcript, sizeof( transcript ),
492 &transcript_len );
493 if( ret != 0 )
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]494 {
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]495 MBEDTLS_SSL_PEND_FATAL_ALERT(
496 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
497 MBEDTLS_ERR_SSL_INTERNAL_ERROR );
498 return( ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]499 }
500
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]501 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake hash", transcript, transcript_len );
502
503 /* Create verify structure */
504 ssl_tls13_create_verify_structure( transcript,
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]505 transcript_len,
506 verify_buffer,
507 &verify_buffer_len,
508 ( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) ?
509 MBEDTLS_SSL_IS_SERVER :
510 MBEDTLS_SSL_IS_CLIENT );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]511
512 /* Process the message contents */
Jerry Yu0b32c502021-10-28 13:41:59 +0800[diff] [blame]513 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate_verify( ssl, buf,
514 buf + buf_len, verify_buffer, verify_buffer_len ) );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]515
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]516 mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl,
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]517 MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, buf, buf_len );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]518
519cleanup:
520
521 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
Jerry Yu5398c102021-11-05 13:32:38 +0800[diff] [blame]522 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_process_certificate_verify", ret );
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]523 return( ret );
Jerry Yuda8cdf22021-10-25 15:06:49 +0800[diff] [blame]524#else
525 ((void) ssl);
526 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
527 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
528#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
Jerry Yu30b071c2021-09-12 20:16:03 +0800[diff] [blame]529}
530
531/*
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]532 *
533 * STATE HANDLING: Incoming Certificate, client-side only currently.
534 *
535 */
536
537/*
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]538 * Implementation
539 */
540
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]541#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
542#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
543/*
544 * Structure of Certificate message:
545 *
546 * enum {
547 * X509(0),
548 * RawPublicKey(2),
549 * (255)
550 * } CertificateType;
551 *
552 * struct {
553 * select (certificate_type) {
554 * case RawPublicKey:
555 * * From RFC 7250 ASN.1_subjectPublicKeyInfo *
556 * opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
557 * case X509:
558 * opaque cert_data<1..2^24-1>;
559 * };
560 * Extension extensions<0..2^16-1>;
561 * } CertificateEntry;
562 *
563 * struct {
564 * opaque certificate_request_context<0..2^8-1>;
565 * CertificateEntry certificate_list<0..2^24-1>;
566 * } Certificate;
567 *
568 */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]569
570/* Parse certificate chain send by the server. */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]571static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
572 const unsigned char *buf,
573 const unsigned char *end )
574{
575 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
576 size_t certificate_request_context_len = 0;
577 size_t certificate_list_len = 0;
578 const unsigned char *p = buf;
579 const unsigned char *certificate_list_end;
580
581 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 );
582 certificate_request_context_len = p[0];
Jerry Yub640bf62021-10-29 10:05:32 +0800[diff] [blame]583 certificate_list_len = MBEDTLS_GET_UINT24_BE( p, 1 );
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]584 p += 4;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]585
586 /* In theory, the certificate list can be up to 2^24 Bytes, but we don't
587 * support anything beyond 2^16 = 64K.
588 */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]589 if( ( certificate_request_context_len != 0 ) ||
590 ( certificate_list_len >= 0x10000 ) )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]591 {
592 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
593 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
594 MBEDTLS_ERR_SSL_DECODE_ERROR );
595 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
596 }
597
598 /* In case we tried to reuse a session but it failed */
599 if( ssl->session_negotiate->peer_cert != NULL )
600 {
601 mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert );
602 mbedtls_free( ssl->session_negotiate->peer_cert );
603 }
604
605 if( ( ssl->session_negotiate->peer_cert =
606 mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ) ) == NULL )
607 {
608 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc( %" MBEDTLS_PRINTF_SIZET " bytes ) failed",
609 sizeof( mbedtls_x509_crt ) ) );
610 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
611 MBEDTLS_ERR_SSL_ALLOC_FAILED );
612 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
613 }
614
615 mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );
616
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]617 certificate_list_end = p + certificate_list_len;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]618 while( p < certificate_list_end )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]619 {
620 size_t cert_data_len, extensions_len;
621
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]622 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 3 );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000[diff] [blame]623 cert_data_len = MBEDTLS_GET_UINT24_BE( p, 0 );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]624 p += 3;
625
626 /* In theory, the CRT can be up to 2^24 Bytes, but we don't support
627 * anything beyond 2^16 = 64K. Otherwise as in the TLS 1.2 code,
628 * check that we have a minimum of 128 bytes of data, this is not
629 * clear why we need that though.
630 */
631 if( ( cert_data_len < 128 ) || ( cert_data_len >= 0x10000 ) )
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]632 {
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]633 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
634 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
635 MBEDTLS_ERR_SSL_DECODE_ERROR );
636 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
637 }
638
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]639 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, cert_data_len );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]640 ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert,
641 p, cert_data_len );
642
643 switch( ret )
644 {
645 case 0: /*ok*/
646 break;
647 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
648 /* Ignore certificate with an unknown algorithm: maybe a
649 prior certificate was already trusted. */
650 break;
651
652 case MBEDTLS_ERR_X509_ALLOC_FAILED:
653 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
654 MBEDTLS_ERR_X509_ALLOC_FAILED );
655 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
656 return( ret );
657
658 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
659 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT,
660 MBEDTLS_ERR_X509_UNKNOWN_VERSION );
661 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
662 return( ret );
663
664 default:
665 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT,
666 ret );
667 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
668 return( ret );
669 }
670
671 p += cert_data_len;
672
673 /* Certificate extensions length */
674 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 2 );
675 extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
676 p += 2;
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]677 MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, extensions_len );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]678 p += extensions_len;
679 }
680
681 /* Check that all the message is consumed. */
682 if( p != end )
683 {
684 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
685 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \
686 MBEDTLS_ERR_SSL_DECODE_ERROR );
687 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
688 }
689
690 MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
691
692 return( ret );
693}
694#else
695static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
696 const unsigned char *buf,
697 const unsigned char *end )
698{
699 ((void) ssl);
700 ((void) buf);
701 ((void) end);
702 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
703}
704#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
705#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
706
707#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
708#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]709/* Validate certificate chain sent by the server. */
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]710static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
711{
712 int ret = 0;
713 mbedtls_x509_crt *ca_chain;
714 mbedtls_x509_crl *ca_crl;
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]715 uint32_t verify_result = 0;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]716
717#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
718 if( ssl->handshake->sni_ca_chain != NULL )
719 {
720 ca_chain = ssl->handshake->sni_ca_chain;
721 ca_crl = ssl->handshake->sni_ca_crl;
722 }
723 else
724#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
725 {
726 ca_chain = ssl->conf->ca_chain;
727 ca_crl = ssl->conf->ca_crl;
728 }
729
730 /*
731 * Main check: verify certificate
732 */
733 ret = mbedtls_x509_crt_verify_with_profile(
734 ssl->session_negotiate->peer_cert,
735 ca_chain, ca_crl,
736 ssl->conf->cert_profile,
737 ssl->hostname,
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]738 &verify_result,
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]739 ssl->conf->f_vrfy, ssl->conf->p_vrfy );
740
741 if( ret != 0 )
742 {
743 MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
744 }
745
746 /*
747 * Secondary checks: always done, but change 'ret' only if it was 0
748 */
749
750#if defined(MBEDTLS_ECP_C)
751 {
752 const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
753
754 /* If certificate uses an EC key, make sure the curve is OK */
755 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
756 mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 )
757 {
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]758 verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]759
760 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( EC key curve )" ) );
761 if( ret == 0 )
762 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
763 }
764 }
765#endif /* MBEDTLS_ECP_C */
766
767 if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
768 ssl->handshake->ciphersuite_info,
769 !ssl->conf->endpoint,
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]770 &verify_result ) != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]771 {
772 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate ( usage extensions )" ) );
773 if( ret == 0 )
774 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
775 }
776
777
778 if( ca_chain == NULL )
779 {
780 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
781 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
782 }
783
784 if( ret != 0 )
785 {
786 /* The certificate may have been rejected for several reasons.
787 Pick one and send the corresponding alert. Which alert to send
788 may be a subject of debate in some cases. */
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]789 if( verify_result & MBEDTLS_X509_BADCERT_OTHER )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]790 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]791 else if( verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]792 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_BAD_CERT, ret );
Xiaofei Baif93cbd22021-10-29 02:39:30 +0000[diff] [blame]793 else if( verify_result & ( MBEDTLS_X509_BADCERT_KEY_USAGE |
794 MBEDTLS_X509_BADCERT_EXT_KEY_USAGE |
795 MBEDTLS_X509_BADCERT_NS_CERT_TYPE |
796 MBEDTLS_X509_BADCERT_BAD_PK |
797 MBEDTLS_X509_BADCERT_BAD_KEY ) )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]798 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]799 else if( verify_result & MBEDTLS_X509_BADCERT_EXPIRED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]800 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]801 else if( verify_result & MBEDTLS_X509_BADCERT_REVOKED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]802 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED, ret );
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]803 else if( verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]804 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA, ret );
805 else
806 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN, ret );
807 }
808
809#if defined(MBEDTLS_DEBUG_C)
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]810 if( verify_result != 0 )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]811 {
812 MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %08x",
Jerry Yu83bb1312021-10-28 22:16:33 +0800[diff] [blame]813 (unsigned int) verify_result ) );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]814 }
815 else
816 {
817 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
818 }
819#endif /* MBEDTLS_DEBUG_C */
820
Xiaofei Baiff456022021-10-28 06:50:17 +0000[diff] [blame]821 ssl->session_negotiate->verify_result = verify_result;
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]822 return( ret );
823}
824#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
825static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl )
826{
827 ((void) ssl);
828 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
829}
830#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
831#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
832
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]833int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl )
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]834{
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]835 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
836 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
837
838#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
839 unsigned char *buf;
840 size_t buf_len;
841
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]842 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg(
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]843 ssl, MBEDTLS_SSL_HS_CERTIFICATE,
844 &buf, &buf_len ) );
845
846 /* Parse the certificate chain sent by the peer. */
847 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_certificate( ssl, buf, buf + buf_len ) );
848 /* Validate the certificate chain and set the verification results. */
849 MBEDTLS_SSL_PROC_CHK( ssl_tls13_validate_certificate( ssl ) );
850
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]851 mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CERTIFICATE,
852 buf, buf_len );
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]853
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]854cleanup:
855
856 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
Xiaofei Bai10aeec02021-10-26 09:50:08 +0000[diff] [blame]857#else
858 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
859 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
860#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
Xiaofei Bai79595ac2021-10-26 07:16:45 +0000[diff] [blame]861 return( ret );
Xiaofei Bai947571e2021-09-29 09:12:03 +0000[diff] [blame]862}
863
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]864/*
865 *
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]866 * STATE HANDLING: Incoming Finished message.
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]867 */
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]868/*
869 * Implementation
870 */
871
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]872static int ssl_tls13_preprocess_finished_message( mbedtls_ssl_context *ssl )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]873{
874 int ret;
875
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]876 ret = mbedtls_ssl_tls13_calculate_verify_data( ssl,
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]877 ssl->handshake->state_local.finished_in.digest,
878 sizeof( ssl->handshake->state_local.finished_in.digest ),
879 &ssl->handshake->state_local.finished_in.digest_len,
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]880 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ?
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]881 MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]882 if( ret != 0 )
883 {
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]884 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_calculate_verify_data", ret );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]885 return( ret );
886 }
887
888 return( 0 );
889}
890
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]891static int ssl_tls13_parse_finished_message( mbedtls_ssl_context *ssl,
892 const unsigned char *buf,
893 const unsigned char *end )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]894{
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]895 /*
896 * struct {
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]897 * opaque verify_data[Hash.length];
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]898 * } Finished;
899 */
900 const unsigned char *expected_verify_data =
901 ssl->handshake->state_local.finished_in.digest;
902 size_t expected_verify_data_len =
903 ssl->handshake->state_local.finished_in.digest_len;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]904 /* Structural validation */
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]905 if( (size_t)( end - buf ) != expected_verify_data_len )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]906 {
907 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
908
909 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]910 MBEDTLS_ERR_SSL_DECODE_ERROR );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]911 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
912 }
913
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]914 MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (self-computed):",
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]915 expected_verify_data,
916 expected_verify_data_len );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]917 MBEDTLS_SSL_DEBUG_BUF( 4, "verify_data (received message):", buf,
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]918 expected_verify_data_len );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]919
920 /* Semantic validation */
Gabor Mezei685472b2021-11-24 11:17:36 +0100[diff] [blame]921 if( mbedtls_ct_memcmp( buf,
922 expected_verify_data,
923 expected_verify_data_len ) != 0 )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]924 {
925 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
926
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]927 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]928 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]929 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
930 }
931 return( 0 );
932}
933
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]934#if defined(MBEDTLS_SSL_CLI_C)
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]935static int ssl_tls13_postprocess_server_finished_message( mbedtls_ssl_context *ssl )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]936{
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]937 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]938 mbedtls_ssl_key_set traffic_keys;
XiaokangQian1aef02e2021-10-28 09:54:34 +0000[diff] [blame]939 mbedtls_ssl_transform *transform_application = NULL;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]940
XiaokangQian4cab0242021-10-12 08:43:37 +0000[diff] [blame]941 ret = mbedtls_ssl_tls13_key_schedule_stage_application( ssl );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]942 if( ret != 0 )
943 {
944 MBEDTLS_SSL_DEBUG_RET( 1,
XiaokangQian4cab0242021-10-12 08:43:37 +0000[diff] [blame]945 "mbedtls_ssl_tls13_key_schedule_stage_application", ret );
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]946 goto cleanup;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]947 }
948
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]949 ret = mbedtls_ssl_tls13_generate_application_keys( ssl, &traffic_keys );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]950 if( ret != 0 )
951 {
952 MBEDTLS_SSL_DEBUG_RET( 1,
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]953 "mbedtls_ssl_tls13_generate_application_keys", ret );
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]954 goto cleanup;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]955 }
956
957 transform_application =
958 mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) );
959 if( transform_application == NULL )
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]960 {
961 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
962 goto cleanup;
963 }
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]964
965 ret = mbedtls_ssl_tls13_populate_transform(
966 transform_application,
967 ssl->conf->endpoint,
968 ssl->session_negotiate->ciphersuite,
969 &traffic_keys,
970 ssl );
971 if( ret != 0 )
972 {
973 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_populate_transform", ret );
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]974 goto cleanup;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]975 }
976
977 ssl->transform_application = transform_application;
978
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]979cleanup:
980
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]981 mbedtls_platform_zeroize( &traffic_keys, sizeof( traffic_keys ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]982 if( ret != 0 )
XiaokangQian1aef02e2021-10-28 09:54:34 +0000[diff] [blame]983 {
984 mbedtls_free( transform_application );
985 MBEDTLS_SSL_PEND_FATAL_ALERT(
986 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
987 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
988 }
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]989 return( ret );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]990}
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]991#endif /* MBEDTLS_SSL_CLI_C */
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]992
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]993static int ssl_tls13_postprocess_finished_message( mbedtls_ssl_context *ssl )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]994{
995
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]996#if defined(MBEDTLS_SSL_CLI_C)
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]997 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
998 {
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]999 return( ssl_tls13_postprocess_server_finished_message( ssl ) );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1000 }
XiaokangQianc13f9352021-11-11 06:13:22 +0000[diff] [blame]1001#else
1002 ((void) ssl);
1003#endif /* MBEDTLS_SSL_CLI_C */
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1004
1005 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1006}
1007
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1008int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl )
1009{
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1010 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1011 unsigned char *buf;
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]1012 size_t buf_len;
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1013
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]1014 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished message" ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1015
1016 /* Preprocessing step: Compute handshake digest */
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]1017 MBEDTLS_SSL_PROC_CHK( ssl_tls13_preprocess_finished_message( ssl ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1018
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1019 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1020 MBEDTLS_SSL_HS_FINISHED,
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]1021 &buf, &buf_len ) );
1022 MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_finished_message( ssl, buf, buf + buf_len ) );
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1023 mbedtls_ssl_tls13_add_hs_msg_to_checksum(
Xiaofei Baieef15042021-11-18 07:29:56 +0000[diff] [blame]1024 ssl, MBEDTLS_SSL_HS_FINISHED, buf, buf_len );
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]1025 MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_finished_message( ssl ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1026
1027cleanup:
1028
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]1029 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished message" ) );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1030 return( ret );
1031}
1032
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1033/*
1034 *
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1035 * STATE HANDLING: Write and send Finished message.
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1036 *
1037 */
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1038/*
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1039 * Implement
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1040 */
1041
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1042static int ssl_tls13_prepare_finished_message( mbedtls_ssl_context *ssl )
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1043{
1044 int ret;
1045
1046 /* Compute transcript of handshake up to now. */
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1047 ret = mbedtls_ssl_tls13_calculate_verify_data( ssl,
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1048 ssl->handshake->state_local.finished_out.digest,
1049 sizeof( ssl->handshake->state_local.finished_out.digest ),
1050 &ssl->handshake->state_local.finished_out.digest_len,
1051 ssl->conf->endpoint );
1052
1053 if( ret != 0 )
1054 {
Jerry Yu7ca30542021-12-08 15:57:57 +0800[diff] [blame]1055 MBEDTLS_SSL_DEBUG_RET( 1, "calculate_verify_data failed", ret );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1056 return( ret );
1057 }
1058
1059 return( 0 );
1060}
1061
XiaokangQiancc90c942021-11-09 12:30:09 +0000[diff] [blame]1062static int ssl_tls13_finalize_finished_message( mbedtls_ssl_context *ssl )
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1063{
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]1064 // TODO: Add back resumption keys calculation after MVP.
1065 ((void) ssl);
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1066
1067 return( 0 );
1068}
1069
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1070static int ssl_tls13_write_finished_message_body( mbedtls_ssl_context *ssl,
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1071 unsigned char *buf,
1072 unsigned char *end,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1073 size_t *out_len )
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1074{
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1075 size_t verify_data_len = ssl->handshake->state_local.finished_out.digest_len;
XiaokangQian0fa66432021-11-15 03:33:57 +0000[diff] [blame]1076 /*
1077 * struct {
1078 * opaque verify_data[Hash.length];
1079 * } Finished;
1080 */
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1081 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, verify_data_len );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1082
1083 memcpy( buf, ssl->handshake->state_local.finished_out.digest,
XiaokangQian8773aa02021-11-10 07:33:09 +0000[diff] [blame]1084 verify_data_len );
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1085
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1086 *out_len = verify_data_len;
XiaokangQian74af2a82021-09-22 07:40:30 +0000[diff] [blame]1087 return( 0 );
1088}
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]1089
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1090/* Main entry point: orchestrates the other functions */
1091int mbedtls_ssl_tls13_write_finished_message( mbedtls_ssl_context *ssl )
1092{
1093 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1094 unsigned char *buf;
1095 size_t buf_len, msg_len;
1096
1097 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished message" ) );
1098
XiaokangQiandce82242021-11-15 06:01:26 +0000[diff] [blame]1099 MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_finished_message( ssl ) );
1100
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1101 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( ssl,
1102 MBEDTLS_SSL_HS_FINISHED, &buf, &buf_len ) );
1103
1104 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_finished_message_body(
1105 ssl, buf, buf + buf_len, &msg_len ) );
1106
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1107 mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_FINISHED,
1108 buf, msg_len );
XiaokangQian35dc6252021-11-11 08:16:19 +0000[diff] [blame]1109
1110 MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_finished_message( ssl ) );
1111 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg( ssl,
1112 buf_len, msg_len ) );
1113 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_flush_output( ssl ) );
1114
1115cleanup:
1116
1117 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished message" ) );
1118 return( ret );
1119}
1120
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1121void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
1122{
1123
1124 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
1125
1126 /*
Jerry Yucfe64f02021-11-15 13:54:06 +0800[diff] [blame]1127 * Free the previous session and switch to the current one.
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1128 */
1129 if( ssl->session )
1130 {
Jerry Yu378254d2021-10-30 21:44:47 +0800[diff] [blame]1131 mbedtls_ssl_session_free( ssl->session );
1132 mbedtls_free( ssl->session );
1133 }
1134 ssl->session = ssl->session_negotiate;
1135 ssl->session_negotiate = NULL;
1136
1137 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
1138}
1139
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1140/*
1141 *
1142 * STATE HANDLING: Write ChangeCipherSpec
1143 *
1144 */
1145#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
1146
1147static int ssl_tls13_write_change_cipher_spec_body( mbedtls_ssl_context *ssl,
1148 unsigned char *buf,
1149 unsigned char *end,
1150 size_t *olen )
1151{
1152 ((void) ssl);
1153
1154 MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 1 );
1155 buf[0] = 1;
1156 *olen = 1;
1157
1158 return( 0 );
1159}
1160
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1161int mbedtls_ssl_tls13_write_change_cipher_spec( mbedtls_ssl_context *ssl )
1162{
1163 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1164
1165 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
1166
1167 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_flush_output( ssl ) );
1168
1169 /* Write CCS message */
1170 MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_change_cipher_spec_body(
1171 ssl, ssl->out_msg,
1172 ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN,
1173 &ssl->out_msglen ) );
1174
1175 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
1176
Ronald Cron49ad6192021-11-24 16:25:31 +0100[diff] [blame]1177 /* Dispatch message */
1178 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl, 1 ) );
1179
1180cleanup:
1181
1182 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
1183 return( ret );
1184}
1185
1186#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
1187
Ronald Cron6f135e12021-12-08 16:57:54 +0100[diff] [blame]1188#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
Jerry Yu65dd2cc2021-08-18 16:38:40 +0800[diff] [blame]1189
1190#endif /* MBEDTLS_SSL_TLS_C */